PDF version

Transcription

PDF version
Shutterstock © Maksim Kabakou
magazine
NEWS AND VIEWS
4 From
ESET’s security experts
WELCOME
Welcome to the first edition of We Live Security, a magazine which showcases
the expertise of security software pioneer ESET, which has been protecting
computer users for more than 25 years. Our expertise is showcased online
at www.welivesecurity.com in English, German and Spanish. Millions of
users around the world now rely on ESET security software to protect their
businesses and digital devices, enjoying safer technology through innovation
and education.
evolved from a pioneer in antivirus software to an award winning provider of
multiple security solutions to combat the latest cyber threats. Today’s solutions
include ESET Secure Authentication, designed to meet the needs of a workforce
who need to safely log into their work network from anywhere, and ESET
Mobile Security for Android, offering mobile workers a security solution which
not only scans for malware on mobile devices, but also protects against theft
and phishing attacks.
Products like ESET Endpoint Security, ESET Smart Security and ESET NOD32
Antivirus are benchmarks for security solutions around the world, providing
multiple levels of protection against malware. The ESET LiveGrid global
detection reporting system keeps our researchers on top of the latest
threats,while heuristic technologies - pioneered by ESET – block emerging
threats even before they are widely detected.
It all seems far removed from 1987, when two young programming enthusiasts,
Peter Paško and Miroslav Trnka, discovered one of the world’s first IBM PC
computer viruses. They dubbed it “Vienna” and wrote a program to detect it.
Now, with a presence in more than
180 countries, ESET detects hundreds
of thousands of new malware
variants a day, and protects users
against a wide range of threats,
new and old, in a complex world
of ubiquitous computing, mobile
devices, and constant connectivity. In
DO MORE
Whether you’re a start-up or a global operation, ESET’s I.T. security
products are fast, easy to use, and deliver market-leading digital threat
detection. We deliver the protection that allows you to DO MORE with
your business. Find out more at ESET.COM
10
12
14
16
20
PRIVACY FIRST
For businesses, it’s not a luxury
IN SAFE HANDS
ESET protects SharePoint
SYSTEM ADMINISTRATORS
How to stay friends with yours
WORLD IMMUNE SYSTEM
How to help fight malware
26
How scary is the Internet of Things?
28
32
35
36
38
40
44
ESET, NOD32 and LiveGrid are trademarks of ESET spol s r.o., registered in Slovakia, the European Union, U.S.
WINDIGO: A VICTIM SPEAKS
Cybercrime’s collateral damage
How ESET’s system works
Raphael Labaca Castro
www.welivesecurity.com
CYBER FIT?
Keep your health data private
22
42
Editor-In-Chief
HEALTHY APPROACH
An industry faces new threats
WHY YOU NEED CRYPTO
19 ESET’s
encryption solutions
Technology™.
short, we help the world Enjoy Safer
and other countries.
8
15
During more than two decades in the information security industry, ESET has
FOR YOUR BUSINESS WITH
I.T. SECURITY SOFTWARE
FROM ESET
STUCK ON WINDOWS XP?
6 Emergency
steps to take
46
SECURE AUTHENTIFICATION
FROZEN WITH FEAR
WHITE GOODS GONE BAD
Weird tales of fridges gone wild
STRAIGHT TALKING
ESET experts fight back
BUSINESS PROTECTION
8 tips for avoiding big phish…
SCAM-SPOTTER’S GUIDE
How to spot bank fraud attacks
A NEW ROUTE IN
Five tips to secure your router
POLICY DECISIONS
Why clear security policies matter
THE WEAKEST LINK
Passwords: make yours stronger
MOBILE SECURITY
Stay secure on Android
COMPUTER SCIENCE
Why education is the key
NEWS & VIEWS
Spyware
tracking sees
dramatic
increase
Windigo Team
© Rex
NEWS
security industry
news and views
ESET wins Virus Bulletin award
By Raphael Labaca Castro, Editor-In-Chief
In March 2014, ESET’s research
team released a significant report
on Operation Windigo, for which
we were recently given the Péter
Szőr Award at the 24th Virus
Bulletin International Conference.
The group responsible is using infected
servers to send spam, redirect traffic to
malicious content and steal more server
credentials to widen their campaign.
The report is only part of the results
of our efforts. The primary purpose of
our investigation is to understand
emerging threats and to ensure users
are protected. We’re blocking hundreds
of thousands of Web requests daily,
ensuring Operation Windigo’s malicious
content never reaches its victims.
4 welivesecurity.com
We’ve also collaborated with various
international organizations and
notified many infected entities to help
them clean up their servers.In addition,
whenever we find information that
provides hints as to the identity of the
culprits, we pass it to the police.
Commenting on the award, John
Hawes, Chief of Operations at Virus
Bulletin said, “ESET Canada are worthy
winners of this award in memory of the
great Péter Szőr. The depth and breadth
of the Operation Windigo investigation,
the use of a range of groundbreaking
techniques, and the high level of
collaboration with other researchers
and affected parties are all very much in
the spirit of Péter’s own excellent work.”
25,000 infected
sites found
500,000 users
DAILY directed to
malicious content
35 million spam emails
sent EVERY 24 HOURS
ESET awarded Peter
Szor Award at 24th
VB International
Conference
The use of spyware to track a
partner’s movements, texts and
phone calls is on the rise.
A recent survey by UK domestic
violence charity Women’s Aid found
that 41% of domestic abuse victims
had been the subject of harassment
using electronic devices or spyware
that tracked their movements, calls
or texts.
“We increasingly hear stories of
abusers adding tracking software
to phones, placing spyware on
personal computers and using the
Internet to gather information about
their partner,” says Polly Neate, CEO
of Women’s Aid.
“In many cases the police are not
trained to recognize and understand
the impact of online abuse, including
tracking, and action is rarely taken
against abusers.”
THE TEAM
Three members of the team
behind the Windigo paper
share their stories.
ALEXIS DORAIS-JONCAS
An ESET employee since 2010, Alexis cocreated the ESET Canada office back in
2011 and is currently security intelligence
team lead. Alexis lists the Festi botnet as
his most hated piece of malware.
Can we predict who will
fall for phishing scams?
By David Harley, Senior Research Fellow, ESET
User profiling is an interesting
approach to countering phishing.
But another – supplementary –
approach would be to analyze the
behavior of the PC user and use that
analysis to flag risky behavior and
attempt some sort of remediation.
One idea in a corporate product
would be to alert not only the user, but
the system administrator, who might
recommend training, for instance. In
a training tool, risky behavior might
be addressed by switching the subject
to a different, more intensive module.
I’d think that would be compatible
with the future research envisaged by
the authors of the paper Keeping Up
With the Joneses: “Assessing Phishing
Susceptibility In An Email Task”
presented by Kyung Wha Hong of North
Carolina State University.
In fact, there’s a great deal of academic
literature out there on susceptibility to
phishing. What is less clear to me is how
you develop a profile while avoiding the
pitfalls of stereotyping through oversimplification of social representation.
The authors of the “Phishing
Susceptibility” paper seem to have
a profile in mind already. While it’s
unsurprising that dispositional trust
affects susceptibility to phishing,
the study also suggests that gender,
introversion and openness to new
experiences were also a factor.
However, it’s not always clear which
way those factors work – or indeed
how representative the population of
participants (53 American undergrads
aged between 18 and 27) is to the
population as a whole. Meanwhile, the
phishers keep honing their attacks.
MARC-ETIENNE M.LÉVEILLÉ
Marc-Etienne has been a malware
researcher at ESET since 2012 and
says his biggest Internet challenge is
malware that steals money and destroys
documents. Which explains
his interest in Windigo…
SÉBASTIEN DUQUETTE
A computer science graduate from
Université du Québec à Montréal,
Sébastien’s golden rule is ‘keep your
software up to date’. As a malware
researcher for ESET, he says exploit kits
are his biggest pet peeve.
welivesecurity.com 5
NEWS & VIEWS
Shutterstock © Iaroslav Neliubov
By Aryeh Goretsky, Distinguished Researcher, ESET
Millions of PCs around the world
still run Windows XP – despite
Microsoft no longer providing
security updates. If you cannot
get away from the old operating
system yet, there are things you
can do to defend your machines.
The first thing is to make sure
you back up your computer’s files
regularly, and periodically test your
backup strategy by restoring backups
– preferably on a different computer– a
few times a year. This helps ensure that
in the event of a catastrophe, you will
still have access to your information.
The time to worry about your backups
is not when faced with a virus, fire,
earthquake or other calamity.
Next, make sure that your copy of
Windows XP is up to date. Although
Microsoft stopped making new patches
for the operating system after April 8,
2014, all of the old updates from before
then will still be available, and should
be downloaded. This also applies to the
6 welivesecurity.com
device-driver software (a device driver
is a computer program that allows the
operating system to communicate with
a particular kind of hardware), which
may be available from your computer
manufacturer or Microsoft’s Windows
Update Website.
You should also make sure you have
the latest versions of the application
software on the computer, and that
these are fully patched and updated.
Software like Adobe Flash, Adobe
Reader and Oracle Corp’s Java are
frequently targeted by criminal gangs
who develop and use malware, so
keeping these up-to-date is just
as important as looking after your
operating system. Other software that
you use, such as Microsoft Office, Web
browsers and so forth, should be on
the newest version and have the most
recent patches applied as well.
If you don’t need the Web, disconnect
or disable the connection so that the PC
can only connect to other machines on
the same non-Internet network. This
will ensure that Internet-borne threats
cannot directly attack your XP PC, and
will make it harder for an attacker to
steal data off the computer.
Make sure your security software
is up to date, too. There are lots
of security programs available for
Windows XP, and most of their authors
have committed to supporting the
operating system for years to come.
Some are free, while others are sold
as a subscription. A discussion of the
features needed to protect Windows XP
is outside the scope of this article, but
at the very least, I would recommend
looking for a security program that
combines signature-based and
heuristic detection, includes a firewall
and has some kind of host-intrusion
protection system. Vulnerability
shielding and exploit blocking will be
useful, too, as Windows XP will no
longer be updated by Microsoft to
protect against these types of attacks.
Down
1 Round off egg-shaped function,
which returns no value (4)
2 Freak NMS worm? Even you will pay
this to rescue kidnapped data (6)
3 After college, put away documents
left out, then joined up, as seen in
multi-function appliance (7)
4 Apple system connects to East
European TLD, an old hiding place
for document threats (5)
5 To surf the Web, plumber’s enemy
has to shift his bottom up a few
notches (6)
6 Going for a gentle walk, first off, then
lurking online to annoy others (8)
12/10 Endpoint traffic filter has intimate
shoot screen (8,8)
14 Computer firm in the trash can –
malware may try to steal yours
or mine (7)
16 Slackware, Edubuntu and Gentoo
provide initial braces for low-tech
snow vehicle (6)
18 Disassembly expert type examines
code, then starts to spot malware (6)
19 External drive connection is at sea,
all at sea (5)
22 Fellow to look for node-linking
architecture, shortened (1-2-1)
Across:
7 Domain 8 Aurora 9 DDoS
11 Spammer 13 Media 15 Prism
17 Windigo 20 Forensic 21 Typo
23 Target 24 IRCbot
How to survive if you’re stuck on XP
Across
7 Perform before most important
section of network or Web (6)
8 APT targeting Google, Yahoo et al is
hiding back in Qatar or UAE (6)
9 Stutterer’s precursor to Windows
that leads to combined bandwidth
flooding (4)
10 See 12 down
11 Spare 2k confused mass-mail
sender (7)
13 Various ways to be social online, but
all I hear is, “Myself? Precious” (5)
15 Non-public posting gets around, first
read in secret, then snooping project
revealed by NSA leak (5)
17 Hippies enjoy having drunkard
around in Linux server-targeting
operation (7)
20Not from round here, and not feeling
well? Sounds like this sort of analysis
might get to the bottom of things (8)
21 Turbo Python hides reversing
keyboard error (4)
23 Retailer leaking masses of data, as
shown by that rogue UTM, oddly (6)
24 Heading back to parts of western
Canada, eastern US? Use chat
channels to keep in touch, like this
type of threat (6)
Down:
1 Void 2 Ransom 3 Unified 4 Macro 5 Browse
6 Trolling 12/10 Personal firewall 14 Bitcoin
16 Sledge 18 Detect 19 ESATA 22 P-to-p.
ESET
crossword
welivesecurity.com 7
CYBERCRIME IS BAD FOR YOUR HEALTH
By Brad Tritle, global product owner for Vitaphone
Health Solutions and co-founder of eHealth Nexus
more than HIPAA required from a
privacy perspective. Since that time,
however, security requirements (e.g,
HITECH) and associated threats have
increased. Meaningful Use (MU) has
both required performance of HIPAA
security audits for those wanting their
MU payments, and created a marketplace
where other organizations, such as
HIPAA Business Associates, can more
readily perform such audits. The result:
stronger security guidelines are being
put in place across the industry, and
employees will be required to not just
sit through a 30-minute video, but to
be thoroughly trained and tested on
specific employee requirements that
will facilitate the organization’s
HIPAA compliance.
Shutterstock © Syda Productions
For 2015, there are three areas of
health IT security (and privacy)
that I believe will be taken much
more seriously than in the past:
HIPAA training (an American law
that helps to guarantee security
of health data for patients),
role-based access and security
of mobile device applications.
Anyone who has worked at either
a HIPAA-covered entity or business
associate has undergone some form
8 welivesecurity.com
of HIPAA training, and then signed an
agreement indicating that they have
been trained and will comply with
HIPAA, with intentional noncompliance serving as cause for
release from employment.
When I served on The Office of the
National Coordinator’s Health
Information Security and Privacy
Collaborative (HISPC) several years
ago, we found that most healthcare
providers erred on the side of doing
Role-based access, or the ability for a
healthcare professional to have only
access to the protected health
information for which he is authorized
(e.g., a treating physician looking at the
record of the patient under their care),
is going to become more granular.
Many in-patient, ambulatory and payer
systems have facilitated a single user
having practical access to any patient
record on that system, regardless of
whether there was a reason for that
One of the biggest trends in
healthcare is the increased use of
mobile devices, both for providers and
patients. There are tens of thousands of
health apps available to patients, and
the number is increasing. In parallel,
health care providers, such as hospitals,
are sending patients home with mobile
devices for remote patient monitoring,
in order to reduce the need to re-admit
them to hospital. Though theoretically
the patient could download an app,
what we are seeing is the provider’s
provision to the patient of a separate,
locked-down, mobile phone that serves
a single purpose, for example, a mobile
gateway for a blood pressure monitor.
This prevents potential misuse of the
phone (stories of patients calling their
family in a foreign country on a
provider’s phone do exist), but also
ensures the security of the data – either
in the hands of the patient, or should
the patient misplace the phone. This
additionally aids the patient by
ensuring that data transmission costs
are not billed to her personal account.
Will this change in the future?
Undoubtedly, and it is also an
opportunity for companies
to develop new mobile health
security solutions.
One of the biggest trends in
healthcare is the increased
use of mobile devices, both
for providers and patients
Shutterstock © Syda Productions
The growing threat
to the security of
our health data
user to access that record. It is only if
and when unauthorized access is
discovered (which is becoming more
frequent), post-event, that discipline
can occur. This same issue can occur
with query-based Health Information
Exchange. Moving forward, there will
be increased use of consent engines to
ensure a system not only complies with
unique geographical privacy and
security regulations, but also that only
those with a true need to access a
record can do so.
welivesecurity.com 9
CYBERCRIME IS BAD FOR YOUR HEALTH
Healthcare:
new cyber risks
From doctors using smartphones at work to connected
devices with password vulnerabilities, there are
numerous cyber risks facing the health industry
Should we be ‘appy’ when doctors
bring their own?
Most hospitals now permit clinicians
to BYOD – bring your own device –
to the workplace. PwC’s Top Health
Industry Issues 2013 report said that
85% of hospitals allow this. Just last
August, the United States Computer
Emergency Readiness Team released
a statement saying it was aware
of a breach of ‘sensitive patient
identification information’ affecting
some 4.5 million patients.
Heart defibrillators ‘face cyber attack’
In 2013, the risks of “connected”
healthcare devices were shown off
starkly in America: 300 gadgets –
including heart defibrillators and patient
monitors – had dangerous password
vulnerability that could have been
exploited by cyber attackers, according
to the Food & Drug Administration (FDA).
“The vulnerability could be exploited to
potentially change critical settings and/
or modify device firmware,” it warned.
Cyber war ‘inside the human body’
Europol’s European Cybercrime
Center and the International Cyber
Security Protection Alliance claim that
medical implants could be targeted
by cybercriminals – and that even
augmented-reality devices used by
patients could be vulnerable, with
attacks built to create hallucinations.
Medical data – is it secure enough?
The Identity Theft Resources Center
claims that the medical industry
accounted for 43% of all data breaches
in 2014. ESET senior researcher Stephen
Cobb says, “Healthcare has seen rapid
growth in the use of digital systems.
But despite a regimen of rules aimed at
safeguarding the privacy and security
of patient data, in the US the sector is
currently rife with security breaches.”
Medical phishing: a new frontier
Cybercriminals have become smarter
at impersonating banks, but new
phishing campaigns use cancer scares
to target victims. Emails purporting
to be blood-test results go on to
infect computers when opened. In
one campaign in Britain, the National
Institute for Health and Care Excellence
(NICE) said, “ We’re aware a spam email
is being sent regarding cancer-test
results. This email is not from NICE.
If you have received the email, do not
open the attachments.”
Leaks can damage your health
Security issues that lead to information
about medical conditions leaking can
cause serious financial and emotional
harm – and researchers have found
that even “secure” browsing may not be
private. They revealed a technique for
identifying individual Web pages visited
“securely,” with up to 89% accuracy,
exposing data such as health and
financial details and sexual orientation.
Images © Rex Features
10 welivesecurity.com
TIPS FOR
protecting your
medical data
By Lysa Myers, Security
Researcher, ESET
Do not share personal details
unless you absolutely have to
A lot of fraud happens because
people give their login or insurance
information to friends or family
members. If someone gets medicines
under your name, it will be listed for
you and may mean you get improper
medical care. Or you could end up
having to pay someone else’s bills.
Check your statements
Be sure to read thoroughly and
understand the charges that come
in your statements from doctors’ offices
and insurance companies. If you do not
understand what you see, or if you see
something listed that you do not recall
having been done or given to you, call
back and get an explanation.
Check your apps and health data
If you use an app to track health data,
it’s a good idea to see how well it
safeguards your information. Reviews
online and at the app store where you
bought it are a good place to start.
Check the permissions for the app to
see what other information it may be
accessing. You can encrypt data on your
mobile device for extra protection.
Advocate for security and privacy
If you feel comfortable discussing
security measures and privacy controls,
ask your health providers what
measures they have in place to protect
your data. You might be surprised at
the answer – and not always for the
worse. Many healthcare practitioners
I’ve spoken with have well thought-out
security in their environments.
REGARDING SECURITY AND PRIVACY
OF ELECTRONIC PATIENT DATA
40%
are concerned
about the security
and privacy of their
electronic patient
health records.
43%
are not concerned
about the security
and privacy of their
electronic patient
health records.
17%
say this is not
applicable to them;
their health records are
not in electronic format.
REGARDING DIGITIZING ALL
PATIENT HEALTH RECORDS
59%
would support
the move toward
digitizing all patient
health records in
the US.
41%
would not support
the digitizing of
all patient health
records in the US.
HEALTH PRIVACY: ARE WE WORRIED YET?
40%
Two-in-five (40%)
Americans familiar with
the NSA revelations are
concerned about the
security and privacy of
their electronic patient
health records.
43% of Americans familiar with the NSA
revelations are not concerned about the security
and privacy of their electronic patient records.
Those aged 35+ (46%) are more likely than those
aged 18-34 (36%) to not be concerned about this.
And those with a household income of $75k or
higher (48%) are more likely to say this.
17% of Americans familiar with the NSA
revelations say that to their knowledge, their
health records are not in electronic format.
Interestingly, those aged 18-34 (27%) are twice as
likely than those aged 35+ (13%) to believe their
health records are not in electronic format.
Source and survey methodology: The survey was conducted online within the United States by Harris Poll on
behalf of ESET from February 4-6, 2014 among 2,034 U.S. adults aged 18 and older, among which 1,691 are at least
somewhat familiar with the NSA revelations.
welivesecurity.com 11
INTERVIEW
WWW.ESET.COM
How my firm fell
victim to cybercrime
Windigo victim speaks out on the ‘stealth’
malware that attacked his global company
Operation Windigo was one of
the biggest criminal operations of
2014. The counterattack is being
led by ESET employees – who
created an award-winning white
paper on Windigo – with help from
law enforcement and scientists
from around the world, including
Europe’s CERN, the organization
behind the Large Hadron Collider.
The paper highlighted a dangerous
threat, where criminals target UNIX
servers to redirect victims – and
take over thousands of servers and
sites worldwide.
The gang used these servers to send
spam, redirect Web traffic to malicious
content and steal more server
credentials to widen their operation.
At its height, Windigo sent 35 million
spam emails a day and redirected
500,000 Web users to dangerous
sites. Detailed analysis of the attack –
and ESET’s action against it – can be
found on ESET’s news and opinion hub
welivesecurity.com.
ESET researchers have helped many
companies identify and neutralize
the infection. Francois*, owner of
a business whose servers in France
and Canada fell victim for weeks,
explains how even a large Internet
firm can fall prey to an attack –
yet not notice.
12 welivesecurity.com
Were you aware that this sort of
attack was possible?
“To begin with, we didn’t realize
what it was. But this did not feel like
something really offensive. It was
running in the background pretty
silently – no crashes or anything.
I think that’s why it has infected so
many servers before people reacted.”
Did the nature of the attack
surprise you at all?
“One of the first things you learn in
any form of high-tech business is that
anything is possible. But we knew from
the start that Windigo was something
different. It was subtle. No one stole
our database – the first we heard
was when suspicious behavior was
mentioned by some of our customers.”
How did you react? Did you fear
your business was under threat?
“We rapidly went from not worrying
to the worst worry of all – that it was
an advanced threat, targeted at us.
We have a lot of servers, and many
customers in France and Canada. We
quickly realized that plenty of people
were talking about those strange
behaviors on many forums.”
Did you work closely with
researchers on this?
“We were quickly contacted by ESET
and were told about how big this
infection was and started to work very
ESET SECURE
AUTHENTICATION
closely with their research team. We
cleaned infected servers but kept some
intact for ESET’s investigation. MarcEtienne M.Léveillé of ESET offered some
really good advice – clean the server
and reinstall. It’s a harsh cure, but we
did it. Thanks to the quick action of
ESET, our company’s reputation was
not damaged – we listened to our
customers and acted. We did not
suffer severe financial loss, either.”
What are your feelings towards the
gang who created this attack – and
the companies still suffering form
its harsh effects?
“This attack is big. Many Web hosting
companies were infected and didn’t
even know what it was. We were
lucky in the end. We worked closely
with ESET, who helped put it right,
and I hope we helped in turn with the
Windigo project.”
What is the status of your
company now that you have
survived the attack?
“We are fully operational. If the
government took these kind of
attacks more seriously and invested
more money to help companies such as
ESET, it may prevent more damage.”
*At his request, We Live Security used
a pseudonym for our interviewee.
Do More when you have
secure access to your data
• Ultra-strong ID validation for use with mobile, tablet or your existing hardware tokens
• A powerful, simple solution
• Two-factor authentication, using one-time passwords
Why privacy is
on everyone’s
mind in 2015
By Stephen Cobb, Senior Security Researcher, ESET
Last year’s ESET Threat Report demonstrated that online
privacy had become something the world was worried
about in the wake of Edward Snowden’s revelations.
I predicted an unprecedented level of interest in encryption
products due to continuing revelations about statesponsored surveillance of companies and consumers.
Privacy has become a luxury - for example, biometrics are
built into the most expensive smartphones and PCs.
I predict a small but not insignificant percentage of current
Internet users in developed countries will scale back their
online activities in light of continuing revelations about statesponsored surveillance of companies and consumers.
For businesses, it’s not a luxury. It’s an essential. All employees need to
be made aware of the company’s privacy policies (assuming you have
these properly documented). Today’s smart companies are making sure
that every employee who deals with customers’ personally identifiable
information, even the folks in IT whom you might not think of as
“customer” people, are aware of just what a big deal it is to breach
the privacy promises that the company has made to its customers.
Any transgressions that come to the attention of management
should be addressed (this may not mean firing people – but if
you don’t enforce a policy it is legally useless in your defense).
I will close by quoting J. Howard Beales, III, Director of the
FTC’s Bureau of Consumer Protection:
Companies that obtain sensitive information
in exchange for a promise to keep it
confidential must take appropriate steps to
ensure the security of that information.
14 welivesecurity.com
In safe hands
Block prying eyes with ESET’s
security system for SharePoint
We Live Security assesses the options
Shutterstock © Maksim Kabakou
Privacy 101: Why changing
privacy settings is essential
Many users of sites such as Facebook don’t
change privacy settings at all, unaware
that the site’s powerful Graph Search
can leave their personal information
exposed. Here are three crooks who
must wish they had changed theirs…
Just stole these rings LOL
A jewel thief stopped off during a robbery
for a less-than-essential break - to check
Facebook (his own, real account) on
the victim’s laptop. Walking out with
two diamond rings worth $3,500, he
was swiftly arrested and jailed.
Just robbed a bank? Time for a selfie!
Sure, selfies are in vogue - but the Michigan
bank robber who posted a photo on his
Facebook page, with a submachine gun
of exactly the same model used in the
hold-up, may have regretted his. “Bought
my first house and chopper today.life’s
great.” he said. If that isn’t a reminder to
change your privacy settings, what is?
‘Catch me if you can’
A criminal who taunted police with a
Facebook message saying ‘“Catch me
if you can” was caught 12 hours later.
The 19-year-old, on the run from prison,
was caught after police appealed on
Facebook for information, and he posted
his taunt on the page. The information
it revealed was enough to catch him
- and earn him 10 months in prison.
“Caught you,” the police posted.
Shutterstock © EDHAR
SharePoint is seen as a must-have for many
organizations around the world. This collaboration
software from Microsoft provides a place to store,
organize, share, and access information from virtually
any device. The only requirement is a Web browser.
While Microsoft SharePoint Server 2013 brought
many improvements, it still requires an additional
security layer to safeguard sensitive company
data, as well as assets stored in databases.
ESET Security for Microsoft SharePoint Server provides
real-time protection for SharePoint servers and databases.
Over and above protection against cyber threats – including
those aimed at file system entry, drive-by downloads, system
exploits and vulnerabilities – ESET’s server technology includes
password protection to stop both malware and unauthorized
administrators from disabling it. ESET scans everything in the
database, and protects the server as well as its content.
Business benefits
l Eliminates all types of threats including
viruses, rootkits, worms and spyware.
l Allows administrators to fine-tune
protection by applying set-up rules based
on file name, size and real file type.
l Proven protection with a small
footprint leaves more system resources
for the server’s vital tasks.
l Automatically excludes critical server files.
l Performs in-depth system analysis to
identify potential security risks.
l Allows for remote management
of Sharepoint servers using ESET
Remote Administrator
While most server-based security software products have a
noticeable impact on system resources, ESET’s security offerings
are recognized by industry testers and analysts around the
world as having a very small footprint with minimal impact.
ESET Security for Microsoft SharePoint Server is no
exception, operating efficiently without noticeable impact
on server performance. It excludes critical server files
automatically, so applications like Microsoft SQL Server and
Microsoft IIS are recognized and omitted from the scans.
Another feature to speed up scanning time is its rule-based
filtering, which lets administrators fine-tune protection
by specifying file name, size and real file types.
ESET Security for Microsoft SharePoint Server also detects server
roles. By excluding critical server files like data stores and paging files
from on-access scanning, ESET Security for Microsoft SharePoint
Server has a much lower system impact than the competition.
Shutterstock © Modella
welivesecurity.com 15
TECH INSIGHT
The secret to
a harmonious
relationship with
your system
administrator
By Carole Theriault, Director, Tick Tock Social
Being a great IT administrator (or sysadmin)
can seem impossible these days. This
is a real shame, because having a good
sysadmin can make a huge difference to the
bottom line: when optimized systems run
smoothly, work gets done more efficiently,
saving time and money.
So why this massive disconnect between the IT
team and the rest of the business?
This situation can cripple a business in today’s
fast-paced, competitive market. The solution
is a question of shifting perspective just a
little, along with a touch of empathy and
communication.
First, we need to get into the heads of
sysadmins, and understand their relationship
with the people they consider their customers
(the rest of the organization).
Why life is now tougher
A sysadmin is hired by a company to make sure
that all computers, devices and servers, as well
as all the software installed, work reliably.
Twenty years ago, when most people relied
on desktop systems running Windows and
MS Office, life was much simpler. Laptops
were around, but they weren’t ubiquitous in
the office. Mobile phones had also not made
16 welivesecurity.com
it into the mainstream yet. This type of setup
required the administrator to manage a
closed, homogeneous network: an infinitely
more manageable space compared to what
sysadmins face in 2015.
Today’s remit still includes the dreaded
jam-prone printer, but adds a smattering of
laptops, highly dependent on wireless and
remote connectivity; and a host of tablets and
smartphones with their flurry of apps, settings
and connectivity issues. Oh, and let’s not forget
the always-available servers that manage and
secure the corporate Websites, email delivery
and hold a veritable avalanche of data, from
sensitive customer information and business
strategies to spreadsheets and presentations.
The frustration of the ‘customers’
Now let’s flip sides and look at the expectations
of the rest of the staff. These people want the
latest, fastest computers and devices. They
want everything to run as expected, without
hitch or glitch, and without appreciation for
the vast complexity of what is metaphorically
under the hood.
The customers are the people responsible for
making products, paying employees, marketing
to prospects, not to mention selling services
and goods to customers. These are the people
FOR IT ADMINISTRATORS:
Adopt the 80/20 rule. Sadly, many sysadmins cannot do it all.
Keep the masses and influencers (your boss, the CEO, and the
worker bees) as happy as possible. Prioritize work by thinking in
terms of the health of the business, not the person who shouts
loudest or annoys you most. And keep a list of your actions, so if
anyone complains, you can prove you made the right decisions.
Keep control. You are your company’s IT guru. Ooze quiet calm,
knowledge and confidence in the same way you would want your
doctor or dentist to.
Lose the attitude. Yes, you absolutely have a seriously tough job,
but so do others . Earn respect whenever possible, but don’t force
people to understand your challenges and frustrations.
Shutterstock © dotshock
who can keep the business alive and kicking.
They need IT to sort out problems as quickly as
possible, so they can get on with their jobs.
The vast majority of sysadmin customers don’t
possess in-depth knowledge of the systems they
use. It is similar to owning a car. You want it just
to work, and when it doesn’t, you want to take it
to the garage and get it fixed.
Explaining the disconnect
The daily grind of maintaining systems for
people that are not inclined to understand how
they work or what breaks them, sprinkled with
zillions of urgent requests to fix connectivity,
access, privacy, printer, application, server
and device issues, would be enough to make
anyone a little grumpy.
From a user perspective, sysadmins are the
people who are never at their desks when
you call upon them, who look at you placidly
and give you a ticket number even when you
label a request as urgent, and who ask lots
of questions you cannot answer, like “what
version of OS and browser are you using?
Where did you save the file you want to
access? Do you have screenshots of that error
message?” In the column opposite, there are
a few tips to how both parties can improve
the relationship.
Don’t show off. Learn how to explain solutions in everyday
language. The more educated your customers are, the easier your
job will be in the long run. Who knows? They might even fix the
printer jam themselves!
Explain why the answer is no. Sysadmins are often accused
of being negative and dictatorial. Always try to provide a clear
explanation as to why you cannot provide a service.
FOR CUSTOMERS:
Show respect. A sysadmin’s job demands multitasking and extreme
focus, which is exhausting. Every time you show up with a query,
apologize for the interruption and request assistance politely.
Appreciate resource restrictions. Your IT team need to prioritize
where they put their time, and in order to get your problem sorted,
you need to simplify the task for them and explain clearly what
impact the issue is having on business continuity.
Be prepared. Sysadmins are not wizards. Like doctors, they need
to diagnose the problem. Help them with this. Always bring your
computer ID information, operating system version, any application
version numbers that are causing difficulty, screenshots of a problem,
and details of what you tried and how you performed the actions.
Time your approach. Monday mornings are often hellish for
system administrators. They need to resolve all the issues that their
customers had over the weekend. If your problem is not extremely
urgent, save it for another day.
Don’t bypass protocol. Of course you might have identified a faster
route to get your problem fixed (via a manager, for instance) but
this can disrupt the entire ecosystem. Save that route for extreme
emergencies, and help IT create a system that works.
welivesecurity.com 17
Lockdown
ESET’s encryption solutions
ensure your data is secure
By Graham Cluley, We Live Security
Shutterstock © andrey_l
What’s the problem?
A company without data is unimaginable. Data is the lifeblood
of your business – it needs to flow safely between different parts
of your organisation and between team members collaborating on a
project. You cannot afford to lose any of it.
And there are many ways for data to be shared: via email, shared
folders, USB sticks, cloud-storage services, laptops and CD ROMs…
the list goes on.
The danger is that the movement of data poses a big risk for
enterprise. As it travels between users and outside the company,
it could either be leaked accidentally to unauthorized parties or
intercepted and stolen by malicious hackers.
Furthermore, sensitive information and databases stored on your
corporate servers – if not protected properly – might be a tempting
target for cybercriminals and online thieves.
Barely a day goes by without an organisation becoming the
unwelcome recipient of newspaper headlines announcing that
customer data (such as credit card details, passwords or personal
information) has been stolen.
It has become clear that the danger is not just one of losing data
related to your customers but of losing their trust to such an
extent they no longer want to do business with you.
Business benefits
l Full disk and removable media encryption
protects data stored or sent using laptop
computers.
l File, folder and email encryption enables
fully secure collaboration across complex
work groups and team boundaries.
l Security policy enforcement deployable at
all endpoints.
l A single MSI package meets data security
compliance obligations.
l Uniquely patented security key
management allows full control of
encryption keys and encryption security
policy remotely and silently.
l Patented hybrid cloud architecture means
that all client and server connections are SSL
encrypted, and all commands and data are
AES or RSA encrypted.
l Quick install and low system requirements
bring enterprise-grade security to even the
smallest organisations.
What’s the solution?
ESET provides encryption solutions which enable organizations
to secure data.
Centralized policy management makes it easy to manage users and
workstations and extend the protection of your company beyond the
perimeter of your network. Encryption security can be painlessly rolled
out, and even extended to mobile phones and home users.
Even if encrypted data falls into the wrong hands or is contained
on a device accidentally lost by an employee, your business can feel
confident that the sensitive information will not be exposed.
welivesecurity.com 19
OPINION
IT security shouldn’t just
be something on your hard
drive – it should be part of
a global immune system
When I first started working for
an IT security company in 1992,
you’d get your software updates
on floppy disks. They were sent
out every three months. If you
were really paranoid, you went
for the monthly updates. Viruses
took months to spread around the
world – via floppy disk. There were
200 new viruses a month – and
we thought that was pretty bad.
Now, of course, we see 100,000
new variants of malware a day. As
soon as money became involved,
it became industrialized – and I
have to say, some of the fun went
out of being a virus researcher.
Back in the old days viruses weren’t
made to make money – they were just
graffiti. They could cost you money
– but the point would be the letters
falling down your screen, or a graphic
of an ambulance driving across. There
was an artistry there – something
I blogged about a while ago.
Many viruses were also unique – even
if they were destructive. I remember a
polymorphic infection from the early
days – where the writer was so keen to
make a British piece of malware. The
SMEG Pathogen virus, named after a
crude word used in the British TV comedy
20 welivesecurity.com
IT security
software isn’t a
program in your
hard drive – it’s a
communication
system. Done
right, it works
like an immune
system, but a
global one.
show Red Dwarf, was written by this
English chap Christopher Pile. It stood
for Simulated Metamorphic Encryption
Generation. When it wiped your hard
drive, it said, “Smoke me a kipper, I’ll be
back for breakfast… but your data won’t.”
The media had been guilty of
presenting malware as largely Eastern
European in origin, and Pile wanted
to prove them wrong. With the
commercialization of malware, that’s all
gone. They don’t care about the quality
– just the money. I saw it first with
attacks targeting AOL users. They were
stealthy – just stole password details
and credit cards.
There wasn’t any attempt to be clever.
There were enough people
who didn’t update Windows that
it would spread anyway. Now, it’s
more than that. It’s “let’s write computer
programs to write more malware for us”.
Spotted by computer
But now, most of what we see is
not entirely new and unique, it’s
based on malware we’ve seen before.
Each new variant has been written
by a computer – and is usually spotted
by a computer.
Even if you have 100 researchers,
you can’t keep up with the volume
of detections. Expert systems do the
detection – customers want protection
very, very quickly, and humans can’t
provide that level of speed and
accuracy. Expert systems can.
An expert system can, for instance,
look inside a piece of code, and make a
guess about whether it’s a banking Trojan
very quickly. They’ll scan for banking
URLs – or related ones. They’ll look for
other markers – is there any Portuguese?
A lot of today’s banking Trojans come
from Brazil – and the code’s compiled
with Delphi. So the system will look
for a Delphi copyright message – but
of course, the cybercriminal knows it
will, so he’ll write that it was done in
Microsoft C. A clever expert system will
look at that and know that here we have
a piece of code that’s in Portuguese, is
pretending to have been compiled in C –
hiding its origin – and has banking URLs
in it. Even if you’ve never seen it before,
you’ve already got a good idea it’s bad.
That’s a very simplified take, of course,
but this proactive defense is the future.
Not in labs, but in home PCs. You have
to look at the behavior of malware in
real time, and when you think, “This
is suspicious”, either turn it off, alert
the user, or report back to base. Your
PC has to be part of a bigger system.
IT security software isn’t a program
on your hard drive – it’s actually a
communication system. Done right,
it works like an immune system,
but a global one. Sending information
isn’t always something we like to
do. Those windows asking you to share
information are needed more than ever.
“We’re all on the Internet, which
means we’re all part of the same
family. It’s up to all of us to defend it.”
LANDMARKS IN MALWARE
1990
Floppy disk
Red Dwarf
Chernobyl
Cryptolocker
Windigo
2014
welivesecurity.com 21
Red Dwarf © www.reddwarf.co.uk
OPINION: GRAHAM CLULEY
POWER UP YOUR
PASSWORDS
We Live Security’s experts explain how we work
to keep you and your business safe
of businesses in the USA
suffered from some form
of hacking in the last 12
months
WHAT’S THE PROBLEM?
More and more organizations are
becoming aware of the risks posed
by sloppy password security.
Most network intrusions (76%) are
attributed to hackers exploiting weak
or stolen login credentials such as
passwords - so it is clearly a problem
any business should deal with. Failure
to do so means workers might create
their own passwords which are either
not random enough or easily guessable,
opening opportunities for hackers to
exploit their accounts.
In addition, many computer users
make the mistake of using the same
password in multiple places, such
as using a password from inside the
corporation for a private account.
In that scenario, if a user’s password
is compromised elsewhere, it could
lead to a breach of your own company’s
systems.
And, of course, if just one employee has
their password phished or hacked, online
criminals could gain direct access to your
corporate network or company secrets.
Computer users cannot be relied
upon to always create strong, hardto-crack passwords, or to protect
them effectively from falling into
the hands of cybercriminals.
Fortunately, technology can help
with the problem.
Secure authentication can make
remote access to a company’s network
safe and hassle-free.
22 welivesecurity.com
ESET Secure Authentication introduces
a two-factor, one-time password into
your users’ login process, meaning that
if their regular password is guessed,
cracked or stolen, hackers will not be
able to gain access to your most sensitive
information.
It works like this. Employees, upon
remotely accessing the company
network, receive a one-time password
on their mobile phones, either via an app
or, if the app is not installed, via SMS.
After its initial set-up, the app does not
require Internet access.
This password is then used to
strengthen the usual authentication
process. And because the one-time
password is unique, and is delivered to
the employee’s mobile phone, hackers
cannot ‘steal’ it. As a result, the company
data and assets are protected against
intruders, dictionary attacks, password
guessing and the other methods hackers
use to gain access to business networks.
Out of the box, ESET Secure
Authentication provides native
support for a variety of Microsoft
Web Applications and Remote Access
systems. However, if you wish to
integrate it with custom systems that’s
perfectly possible too.
The ESET Secure Authentication
Software Development Kit has a
range of extensibility options, allowing
you to add two-factor authentication
to nearly any system that requires
authentication.
ESET SECURE AUTHENTICATION
SOLVES THESE PROBLEMS:
Static passwords that can be
intercepted
User-created passwords that
can be easily guessed
Re-use of private passwords
for company accounts
$224
$153
Passwords containing user-specific
data – e.g. a name, a date of birth
Simple patterns to derive new
passwords, such as “peter1”,
“peter2”, etc.
BUSINESS BENEFITS
Helps prevent the risk of
breaches with unique
passwords for each access
Protects from poor
password practices
Saves costs - no additional
hardware needed
Easy to migrate to and use
Two-factor authentication
provides peace of mind
Multi-platform support, including
leading mobile operating systems
Global technical support in
local languages
welivesecurity.com 23
ESET ENDPOINT
SECURITY FOR ANDROID
Powerful, flexible protection for Android with antivirus, anti-phishing,
anti-theft and much more in one simple package…
Mobile security has and always will be a
pressing issue for companies everywhere.
Businesses striving for success rely on an
operating system to function seamlessly
from a security standpoint.
ESET Endpoint Security for Android is the solution
for all your data security needs. With Android’s
increasing popularity, there has never been a
stronger emphasis on mobile security. With
improved usability and effortless navigation,
ESET Endpoint Security for Android is yet another
example of ESET’s drive to become a primary
contender in the market for business security
solutions for Android-based devices.
ESET Endpoint Security for Android gives
administrators complete control over installed
applications, allowing blocking based on a
manually defined list, or based on categories
or source of the application.
In addition to fine-tuned application control,
ESET Endpoint Security for Android allows
admins to set minimum security levels across
multiple devices – with variables such as
minimum password length or number of
upper-/lower-case letters required –
for fine-tuned security across all devices.
Peace of mind has never been simpler.
24 welivesecurity.com
KEY BENEFITS:
ESET has always been in the business of protecting
organisations from threats that prevent them reaching
their potential. With ESET Endpoint Security for
Android, you can be confident you’re protected and
focus on the important parts of running a business.
Improved detection
Stronger security and better detection. Delivers real
time on-access scanner with improved scanning
speed, integrated ESET Live Grid, scheduled scanning,
enhanced virus database updates and anti-phishing.
New and improved features
Antivirus, SMS and call filter, anti-theft,
application control, essential device management
settings, remote and local administration, and
import/export of settings, anti-phishing.
Ease of use
Improved user experience. Easier to navigate and use.
ESET Remote Administrator management console
and ESET Endpoint Antivirus/ESET Endpoint Security
client software deliver a recognizable look and feel.
New licensing system
Will fully support the new licensing model introduced
with ESET Remote Administrator. New licensing
framework integration simplifies the deployment and
long-term usage of ESET security software. Customers
are able to swap license information for a simple to
remember email address with a custom password.
welivesecurity.com 25
FROZEN
WITH FEAR
Should you be scared of your fridge?
Data Encryption
Shutterstock © Opka
By Rob Waugh, We Live Security contributor
A new, terrifying weapon is in the
hands of hackers - the ability to
stop a toilet flush from working.
We look at 2015’s silliest
prophecies of gadget doom.
The ‘Internet of Things’ - connected
devices such as lamps, fridges, cars or
industrial equipment - has been the
subject of much debate, and several
rather over-the-top predictions from
tech pundits. Will we all REALLY be
killed by our fridges? We compile some
of the deadliest, most murderous
death machines ever to (theoretically)
emerge from the Internet of Things.
Veteran security researcher
and writer Graham Cluley feels
unthreatened - and uninterested by these connected devices. He is
unconvinced that Hollywood will
turn its hand to horror films based on
murderous white goods - ‘Heartbreak
Fridge’ perhaps.
“Yes, of course there are threats
associated with more devices
connecting to the Internet,” says Cluley.
“Especially when they are built by
companies who may not be well versed
in computer security.
“Although none of us should be
complacent about the potential risks,
there is perhaps more hype than havoc
at the moment.
“I, for one, am not drooling at the
thought of having an Internet fridge.
Not because of the potential security
26 welivesecurity.com
risks, but simply because I can’t
imagine how having an Internetenabled fridge would make my life in
any way happier or more convenient.”
The connected window blinds
did it - a new way to kill?
Like many companies in the
technology world, Rod Rassmussen
peered into his crystal ball last year
to predict likely events for 2014 Rasmussen is the highly respected
President and CTO of IID (Internet
Identity). Rassmussen headed straight
out for the territory where the buses
don’t run - and predicted a murder
using an Internet-connected device.
“Killings can be carried out with a
significantly lower chance of getting
caught, much less convicted, and if
human history shows us anything, if
you can find a new way to kill, it will
be eventually be used.” Being slammed
in a toilet lid can sting - but is it really
deadly? And will it finally happen in 2015?
Flushed to death?
At the Black Hat conference in Las
Vegas, various terrifying hacks - such
as the ability to peer through home
security cameras - have been shown
off, but it was the demonstration of
an e-toilet hack which ran off with the
headlines. Terrified victims of the hack
against Satis toilets could be assaulted
with a remote-controlled flush - or
even a blast from the bidet. Hackers
can also use the app to control the
air-drying functions at will, “causing
discomfort” Ars Technica warned with
tongue firmly in cheek.
Knock, knock, hue’s there?
Terrifying headlines greeted the news
that it was possible to remote-control
the Philips Hue lighting system due
to flaws in its online ‘control panel’.
What these reports failed to mention,
of course, is that Hue is more akin to a
lava lamp than a home lighting system,
with colors that flicker to match films
on TV, or just to create a nice warm
glow. Gizmodo warned that they are
“highly hackable”. Surely it’s easier
simply to run outside and jingle their
wind chimes to ruin the ‘vibe’?
White goods - black heart?
The scene in Ghostbusters where
Sigourney Weaver opens her fridge
to reveal a portal into a demonic
underworld came true this year.
Well, nearly. Reports of a fridge
sending huge volumes of spam swept
the Web’s more credulous regions with some reports claiming that other
businesses had been targeted by the
rogue chiller cabinet - until someone
pointed out a nearby Windows PC was
the culprit. The fridge has since been
cleared of all charges.
Do More with your
company data encrypted
•
•
•
Simple and powerful encryption for organizations of all sizes
Safely encrypt hard drives, removable media, files and email
Hybrid-cloud based management server
welivesecurity.com 27
Shutterstock © Tetiana Yurchenko
WHEN WHITE
GOODS GO BAD
Is the ‘Internet of Things’ really as big a
threat as some doomsayers predict?
By David Harley, Senior Reseach Fellow, ESET
Shutterstock © VGstockstudio
28 welivesecurity.com
THE PREDICTIONS
1) Someone will be killed by a
connected device this year
“Killings can be carried out with a significantly
lower chance of getting caught, much less
convicted, and if human history shows us
anything, if you can find a new way to kill,
it will be eventually be used.” IID President
Rod Rasmussen
2) Worldwide threats will increase
“We’re connecting more of our world every
day through smart, IP-enabled devices. It is,
unfortunately, too easy to imagine how these
world-changing developments could go terribly
wrong when attacked or corrupted by bad
actors.” Cisco Senior VP Security Chris Young
3) Your family could burn to death or face higher electricity bills
“The vulnerabilities found within the Belkin
WeMo devices expose users to several
potentially costly threats, from home fires
with possible tragic consequences down to the
simple waste of electricity,” wrote device security
specialists IOActive.
4) Hackers could start a disco in your home
On revealing a security flaw in Philips multicolored Hue lighting system, researcher Nitesh
Dhanjani said, “In this age of malware and
powerful botnets, it is vital that people’s homes
be secure from vulnerabilities like these that can
cause physical consequences.”
5) Cybercriminals could steal your steaks
At CES this year, the BBC warned that Smart
Fridges may pose a risk. “In the future, it might
not just be your smartphone that leaks personal
and private data, it might be your smart fridge
too,” the broadcaster warned. Steaks may tempt
burglars to enter your home in search of dinner.
Making business
more of a pleasure
ESET Endpoint Security and ESET Endpoint Antivirus: effective,
light footprint security for your small to medium sized business
Businesses, no matter what their size, need I.T. security they
can trust. Security systems that are easy to use, intuitive
and do the job quietly and efficiently, while requiring as
little attention as possible. With ESET Endpoint Security and
ESET Endpoint Antivirus, ESET has met these goals, making
it the ideal solution for small to medium sized businesses.
Widely regarded in the business and technology community
as one of the best systems against cyberthreats around,
ESET Endpoint Security calmly and efficiently eliminates
current known threats, but also keeps an eye on the
future. With new viruses and malware being created every
day, ESET Endpoint Security doesn’t simply wait for new
definitions to be downloaded – it proactively looks out for
suspicious activity, and lets the user know when it spots
something that’s likely to be currently undefined malware.
Offering improved detection, anti-phishing, an advanced
memory cleaner, an exploit blocker, and a firewall, among
other methods of protection, the software protects
on a variety of levels, against myriad threats, while
maintaining a small local footprint. For the first time,
ESET offers dedicated botnet protection, which helps to
uncover undiscovered malware by analyzing network
communication patterns and protocols, along with the
usual expected quality virus and malware detection, and
protection from suspicious URL and file-types.
For the administrator, it’s easy to set up and maintain,
ensuring that the entire network is protected by ESET’s
advanced I.T. security, while less tech-savvy employees will
find the protection subtle and non-invasive, allowing them
to work without unnecessary distractions.
To find out more about ESET’s security solutions
for organizations of all sizes, visit:
www.eset.com/int/business/solutions
Shutterstock © ene
Targeting devices that aren’t PCs and
therefore probably don’t have an explicit
malware detection mechanism would
reduce the likelihood of early detection
of device-specific malware. Payloads that
would take advantage of device-specific
functionality would require significant
research and development, but who, a few
years ago, would have given much thought
to the likelihood of malware targeting
uranium enrichment centrifuges?
However, the fact that eavesdropping,
sabotage and other attacks are or may be
possible in surprising contexts doesn’t mean
that they’re likely. The Internet may have elements
of the Wild West (and always did), but it hasn’t
turned into a gigantic stage set from 1984, even
if a laptop or television screen can sometimes
behave like Big Brother’s telescreens. (That’s
the 1984 Big Brother, not the TV unreality
show.) Nor are we all now players in a universal
game of Cluedo (or Clue as it’s known in the
U.S.) where Professor Plum is likely to be
bumped off by wifi-controlled sabotage of his
pacemaker, Colonel Mustard and his library are
about to be set on fire by a subverted heating
system, or Miss Scarlett might die of a seizure
induced by flashing lights controlled by a tablet
app. There may be more possibilities for exotic
attacks in a world where even your toilet may
be online, and security company PR offices
are having lots of fun flagging such exotica,
but what is possible in cybercrime usually only
actually happens if someone sees a substantial
profit in developing an attack.
welivesecurity.com 29
STAY SECURE:
WHEREVER YOU ARE
ESET Remote Administrator keeps you on top of your corporate security,
whether you’re in the office or on the other side of the world
With the new ESET Remote Administrator, ESET seeks to address the real-life issues
facing security administrators in small companies. It abandons the old, endpointserver architecture in favor of a more modern, progressive server-agent approach.
ESET Remote Administrator comes shipped as a platform-independent product (now available
on Linux-based systems), allowing seamless integration with customers’ virtual infrastructure.
The new version of ESET Remote Administrator will be the central hub for all existing and
upcoming ESET business products, able to manage all ESET products centrally.
ESET Remote Administrator
In addition to this, the Web-based administration console offers the ability to connect
from almost any location or device, making administration effortless.
BENEFITS Ease of deployment
Migration wizard for existing ESET customers
and one-step installation for new users.
Multi-platform support
ESET Remote Administrator runs on both Windows and
Linux machines, cutting costs for cross-platform users.
New user experience
A reworked console makes Remote Administrator simple
to navigate and accessible from anywhere via your browser.
Performance
ESET Remote Administrator can handle even the largest
computing networks from a single centralized server.
New architecture
Tailored towards the needs of individual customers, from
basic setups to complex multi-user scenarios.
New licensing system
Simplified licensing with a new license key format and
automatic updates means you’re always protected.
30 welivesecurity.com
BEST FOR… Small to medium-sized businesses
With fewer resources to dedicate to infrastructure
security, small to medium-sized businesses will find the
combination of ease of use, value, and minimal impact
on systems of ESET Remote Administrator appealing.
Security conscious business consumers
ESET’s reputation in the field is second to none.
Those looking for a reliable, proven, customizable,
small footprint solution need look no further.
welivesecurity.com
welivesecurity.com 31
31
TECH INSIGHT
STRAIGHT TALKING
from the ESET experts
Fiction: Children are too open on
the Internet
Fact: It’s often the parents
By David Harley,
Senior Research Fellow, ESET
Shutterstock © auremar
Fiction: Advanced persistent threats
are the most dangerous malware
Fact: Many such attacks are
simplistic – B-grade malware,
if you will
By Olivier Bilodeau,
Malware Researcher, ESET
We analyzed four targeted attack
tools and the reasons why they
shouldn’t be called ‘advanced’.
Some features we observed:
● An attacker interacts with
an infected machine.
● Bad criminals: typos in
configuration, naive
cryptographic implementation,
32 welivesecurity.com
Many parents regularly post
photographs and potentially sensitive
information about their children to
social networking sites. But what are
the privacy implications when those
children become adults?
There are at least two related
problems with a digital footprint, as
compared to the non-virtual world:
(1) Physical photographs and other
documents are in some sense unique
objects. Put it on the Web/social media
and you lose control over it.
(2) The digital world may seem
weak code practices.
● Sophistication variability: from
no obfuscation to hidden position
independent code, XOR encryption,
XTEA encryption, stand-alone
re-usable components.
● The malicious software uses spearphishing campaigns – targeted
emails carry an executable
which displays the icon of a Word
document (the dropper). This
drops the main malicious binary
and then a Word document into
the user’s temporary folder.
As long as these less
sophisticated attacks are still
successful they’ll continue.
transient but digital data is actually
extraordinarily persistent.
Given these issues, it is worth
considering if it’s a parent’s ethical – or
even moral – responsibility to think
about the difference between the online
and offline contexts and act accordingly.
There are clearly lines to be drawn, of
course, between digital data which can
be damaging, and that which cannot.
My own daughter’s reaction to
the publishing of photos was this:
“Ultrasounds, baby photos, etc, I think
could be considered acceptable – at the
end of the day a child is a child.
“The photos do not have the same
long-term problems as, for instance,
employers getting to see embarrassing
teenage photos, posted by parents, or,
more likely, friends.”
Fiction: Antivirus software is dead
Fact: The way security software
detects malware has changed
By security expert Graham Cluley
Antivirus is dead! We’ve seen this
announced so many times we’ve
taken to carrying black ties. Actually,
anti-malware technology moved on
long ago, but customer and media
perception has lagged way behind.
Much malware – spear-phishing, APT – is
now highly targeted, meaning that no
I.T. security company will claim 100%
malware detection.But this just means
it’s changed.Current malware detection
comes in three main forms:
Proactive detection and blocking
The holy grail of security: proactive
blocking through reputational and
generic countermeasures.
Detection of known malware
A high proportion of threats continue to
be detected either specifically or using
more generic detections.
Remediation
These days, anti-malware and protection
is achieved through reputation and
behavior analysis, and with the aid of
advanced heuristics, while signatures
are primarily used for remediation where
proactive methods have failed. Don’t
be too optimistic about finding a single
solution. The best advice is to look for a
combined solution that you can afford.
Fiction: Antivirus failed to stop
the Target breach
Fact: It was detected daily –
staff failed to notice
By Lysa Myers, ESETResearcher
Fiction: BlackBerry is dead
Fact: If you worry about security,
BB10 is very much alive
By Cameron Camp,
Malware Researcher, ESET
Following the ground-up overhaul
of the BlackBerry operating system,
we wondered how it really stacks
up – security-wise – against other
smartphone operating systems?
An overhaul like this is not for the
faint at heart. The people at BlackBerry
re-envisioned the new BlackBerry 10
operating system from experience
gained from the older versions and
the acquisition of QNX, a real-time
microkernel based Unix-like construct.
Starting with a microkernel is a
nice way to isolate processes into tidy
containers that can become pseudosuspicious of each other, and therefore
form the foundation for a stack of
compartmentalized processes that
follow the same model.
And QNX is no slouch here – a longtested, real-time OS platform that has
performed well for longer than some of
BlackBerry’s engineers have probably
been alive. How well did they do
combining all this tech with a handset
design that appealed to the average
mobile user? The verdict is still out.
While there are a myriad of external
(and internal factors) that may control
the success of the BB, it’s good to know
a company like this had the foresight to
revamp the whole stack in a thoughtful,
security-focused way – and the guts to
go for it.
Let’s examine some of the myths
about the Target breach.
(1) The person who created the
malware perpetrated the breach.
Knowing who created the malware
doesn’t tell us who carried out the
attack – it is only one tool that the
attacker or attackers used.
(2) The code was not detected in
VirusTotal, so antivirus failed. The
idea that VirusTotal can be used as
an accurate test of whether up-todate antivirus software would detect
malware has been debunked.
(3) The attackers must be geniuses.
Malware authors are not geniuses – they
are simply resourceful about combining
information that’s widely available.
(4) There’s no way to stop such
attacks. The usual security advice
should have been followed. It wasn’t.
(5) Attackers only hit big
businesses. Attacking a big business
is certainly a huge payday – but lots
of little attacks can quickly match it.
High-profile breaches like this should
remind businesses that it’s worth the
expense to improve their security.
welivesecurity.com 33
WWW.ESET.COM
ESET
ENDPOINT
SECURITY
FOR ANDROID
Do More with
your Android
endpoints secured
•
•
•
Secure your company smartphones and tablets,
wherever business takes them.
Protect all applications, files and memory cards.
Track phones that go missing and lock them remotely.
Shutterstock © Nata-Lia
8 tips to
protect
your business
By Carole Theriault, Director, Tick Tock Social
We all know that having employees
trained in safe computing practices is a
good idea. Not only does it help to protect
the integrity of the network, but having
alert and informed users can provide an
extra layer of security as they can raise the
alarm if they see something suspicious.
The problem many companies face is how
to get users on board. Some companies use
fear tactics, threatening reprimands and even
dismissal if users are found to have breached
protocol. Having IT teams act like office
authorities may seem like a good idea, but
it does have a serious downside: a user who
screws up or sees something suspicious
may shy away from reporting the problem
to avoid the consequences.
There is a better approach. It does take
some resources to set up, but running an
internal security campaign that informs and
encourages users about the key security points
helps to safeguard your own network, and it
will also provide them with skills they can use
at home to keep their own computers free from
malicious attacks.
With that in mind, we’ve created eight
security tips for you to share with your employees.
Security tips
Security breaches are no fun for anyone,
and are best avoided at all costs. While you
will have security in place to protect the
network, you’ll need employee help to keep
risks to a minimum and alert you if they see
something suspicious. Check out these tips
to help you prevent any of the bad stuff
from getting in:
1) Keep sensitive information out of sight.
When you have visitors in the office, keep all sensitive information
out of sight. Avoid leaving any information lying around, on your
desk, shared meetings rooms and at the printer or photocopier.
2) Lock your devices.
Set your computer, laptop, tablets and mobiles to lock automatically
after two minutes of non-activity, keeping them safe from prying eyes.
3) Think before you share information on the phone.
Avoid giving away employee, financial or sensitive company information
on the phone. Try to verify the caller’s identity. And if something
like this doesn’t feel right, report it to your boss or the IT team.
4) Consider using an application to manage passwords.
Having strong, unique passwords for each login is important, but impossible
for users to remember. Use a password manager – then you only need to
remember one password. Remember to make your master password strong.
5) Watch out for suspicious emails and dodgy links.
Suspicious emails and links should not be opened or even previewed.
Just delete them. Opening or viewing these emails and links can
compromise your computer and invite in an unwanted problem.
6) Tell IT before you connect personal devices to the network.
Devices like USBs, music players and smartphones can be compromised
with code waiting to launch as soon as they are plugged into a computer.
Talk to IT and let them make the call to keep you and your company safe.
7) Don’t install unauthorized apps or programs on your work devices.
Check with IT before installing unauthorized programs on your
company devices. Malicious applications often pose as legitimate
programs, like a game, a tool, and even security software!
8) Avoid using an unprotected network.
When you travel, you might be tempted by free WI-FI. The issue is that these
networks can be compromised. Make sure you talk to IT before you connect,
so they can provide you with a VPN to make your connections more secure.
welivesecurity.com 35
TECH INSIGHT
A SCAM-SPOTTER’S GUIDE:
THINGS YOUR BANK
WILL NEVER DO – BUT
CYBERCRIMINALS WILL
By Rob Waugh, We Live Security contributor
Technologies change, but cybercriminals
will always dream up new ways to fool
you into handing over your bank details,
whether via phishing emails, SMS or phone.
instead, download from official app stores, and
ensure yours is up to date. Advanced malware
can compromise both PCs and smartphones,
bypassing bank security systems.
These days cybercriminals will use phone calls
and even couriers in an effort to get your money.
Many of these attacks can seem very convincing.
The key to staying safe is to recognize behavior
that isn’t quite “right”. Here are some things a
bank will never do – but a phisher, or thief, will.
Use shortened URLs in an email
Cybercriminals use a variety of tricks to make
a malicious Web page appear more “real” in an
email that’s supposedly from your bank – one
of the most basic is URL-shortening services.
Don’t ever click a shortened link. Go to the bank’s
Website instead (the usual URL you use), or call
them.
Text asking for details to “confirm” it’s you
Your bank may well text you, for instance to
confirm an online transaction, but bank texts
will not, ever, ask you to confirm details such as
passwords. Banks also won’t update their apps
via text message. If you’re suspicious, don’t click
links, don’t call any numbers in the text. Instead,
call your bank on its “normal” number – Google it
if you don’t know – and check whether the text is
from them.
Give you a deadline of 24 hours before your
bank account erases itself
Many legitimate messages from your bank will
be marked “urgent”, particularly those related
to suspected fraud, but any message with a
deadline is suspicious. Cybercriminals have
to work fast – their websites may be blocked
rapidly – and need you to click without thinking.
Banks just want you to get in touch.
Send you a link with a “new app”
Your bank will not distribute apps in this way –
36 welivesecurity.com
Send a courier to pick up a “faulty” card
The courier scam is a new one – your phone
rings, it’s your bank, and they need to replace a
faulty bank card. The bank tells you that a courier
will arrive shortly. A courier turns up, asks for
your PIN as “confirmation”, and your money
vanishes. If your card is faulty, a real bank will
instruct you to destroy it.
Call your landline and “prove” it’s the bank
by asking you to call back
A common new scam is a phone call from either
“the police” or “your bank”, saying that fraudulent
transactions have been detected on your card.
The criminals will then “prove” their identity by
“hanging up” and asking you to dial the real bank
number – but they’ve actually just played a dial
tone, and when you dial in, you’re talking to the
same gang member, who has remained on the
phone, waiting, and who will then ask for credit
card details and passwords.
465
50% half
The number of serious data breaches
which hit financial institutions in 2013
- nearly triple the number affecting
retailers, according to Verizon.
Email you at a new address without asking
for a new way to get in touch
If your bank suddenly contacts you on your
work email (or any other address than the one
they usually use), worry. Banks will not add new
email addresses on their own. If you want to
be ultra-secure, create a special email address
just for your bank, don’t publish it anywhere, or
use it for anything else – that way, emails that
appear to be from your bank probably ARE.
Use an unsecured Web page
If you’re on a “real” online banking page, it
should display a symbol in your browser’s
address bar to show it is secure, such as a
locked padlock or unbroken key symbol. If that
symbol’s missing, be very, very wary. This is one
reason why it’s best to browse an online banking
page from your computer – on a smartphone,
it can be more difficult to see which pages are
secure.
Address you as “Dear customer” or dear
“youremail@gmail.com”
Banks will usually address you with your name
and title – i.e. Mr Smith, and often add another
layer of security such as quoting the last four
digits of your account number, to reassure
you it’s a real email, and not phish. Any emails
addressed to “Dear customer” or “Dear [email
address]” should be treated as spam.
Send a message with a blank address field
If you receive a personal message from your
bank, it should be addressed to you – not just
in the message, but in the email header. Check
that it’s addressed to your email address – if it’s
blank, or addressed to “Customer List” or similar,
be suspicious.
Ask for your mother’s maiden name
When banks get in touch they may ask for a
password, or a secret number. What they won’t
do is ask for a whole lot more information “to be
on the safe side”. If you see a form asking for a
large amount of information, close the link and
phone your bank.
The percentage of staff who
fall for phishing emails,
according to Proofpoint.
The fraction of the world’s 50 biggest
banks which have faced attacks via Web
apps, according to High-Tech Bridge.
double
The effectiveness of a LinkedIn invitation compared to other forms of
phishing attack when aimed at corporations, according to Proofpoint.
466k
$3.2m
36%
80%
$5 billion
The number of cardholders
at JP Morgan whose details
leaked in a 2013 hack.
The amount Aleksandr
Panin, “one of the world’s top
writers of banking Trojans,”
made from his SpyEye.
The percentage of companies which
still provide no cyber risk training,
according to Zurich Insurance.
of business leaders do not feel fully
prepared for the effects of a cyber
attack, according to a new survey by
the Economist Intelligence Unit.
The cost of cybercrime per year, according to a Microsoft survey.
welivesecurity.com 37
TECH INSIGHT
ROUTER ATTACKS:
FIVE SIMPLE TIPS TO
LOCK CRIMINALS OUT
By Alan Martin, We Live Security contributor
Cybercriminals always look for the
weakest link when planning their attacks
– often it’s human error, such as weak
passwords or opening phishing emails,
but failings in home routers can allow
another “way in”.
Over the past year, researchers have repeatedly
shown that the devices can contain “backdoors”
which allow attackers access to your private
data. Once known, this information will circulate
rapidly among cyber gangs. We also don’t
help ourselves. A study of 653 IT and security
professionals and 1,009 remote workers found
that 30% of IT professionals and 46% of remote
workers do not change default passwords on
their routers. So far, router attacks are a new
and evolving phenomenon – but it’s worth
protecting yours.
1) Don’t leave your username as ‘admin’
The first, and most important step, is to change
your router’s password from its default. Routers
ship with a Web page allowing users to adjust
settings, with default passwords and usernames
such as “admin”. These are widely known to
hackers, and should be changed immediately.
2) For extra security, change the firmware
A recent survey found that around 80% of
the top-selling “small office/home” routers
on Amazon shipped with known “critical”
vulnerabilities, making them easy prey for
cybercriminals. ESET Malware Researcher
Olivier Bilodeau says, “For the relatively
advanced consumer: install an alternative
open source firmware on your router.” These
are replacement versions of the official
firmware – and often more secure. This is not
for beginner PC users, but clear instructions
can be found online as to how to install.
Bilodeau recommends:
Tomato: www.polarcloud.com/tomato
DD-WRT: www.dd-wrt.com/site/index
Open-WRT: https://openwrt.org/
Around a third of IT professionals admit to never
changing the default settings on routers, giving
cybercriminals a potential ‘way in’ to networks.
38 welivesecurity.com
3) Make sure your encryption is up to scratch
Older routers with WEP encryption are vulnerable
– check which one you’re using on your settings
page. If it’s WEP, change to the more secure
option WPA. Or buy a new router.
4) Don’t tell the neighbors your name
Wi-Fi networks have a network name – known
as an SSID – and most ship with a default name,
which often includes the brand. For a potential
attacker – for instance, against a small business
– this is useful information. Some models have
vulnerabilities that make router attacks easy,
It’s worth considering making yours a “hidden
network” – disabling the broadcast of the SSID’s
name. That way you’re less visible to attackers –
and to connect new devices, simply type in your
network’s name on the gadget.
5) Know who’s connecting to your network
Any PC or mobile computing device has a unique
identifying number known as a MAC address. If
you access your router’s settings, you can select
which devices can and cannot connect to your
network – meaning for instance, a neighbour
couldn’t log in, or a teenage visitor could not
access unsuitable sites via a smartphone. Add
the MAC addresses of all authorized devices in
the home – iPhones, tablets, laptops etc. – to the
router’s authorized list. No other device will then
be allowed. You can find the MAC addresses of
mobile phones and other portable devices under
their network settings, though this will vary for
each device. Check with the manufacturer.
welivesecurity.com 39
FEATURE
Small fish, big risks
Why even the smallest businesses need to
have a security policy in place.
By Stephen Cobb, Senior Security Researcher, ESET
A while back, I offered a Webinar
on information security policy
entitled “How can your small
business make security policies
pay off?” If you missed it, there’s
a recording at eset.com that
you can view at any time.
During the question-and-answer
session towards the end of the
recording, a member of the audience
asked the following: “You talk about
policy singular but also multiple policies.
Which do I need?”
This really got me thinking about
how information security people
talk about policy and I realized it
can be confusing. So here are some
explanations about security policy,
policies, and a thing called WISP.
First of all, what does it mean for an
organization to have an information
security policy, singular? It means
that the organization has stated and
recorded its commitment to protecting
the information that it handles.
For example, here’s what Acme Bicycle
Company might say: “It’s the policy of ABC
that information, as defined hereinafter,
in all its forms – written, spoken, recorded
electronically or printed – will be
protected from accidental or intentional
unauthorized modification, destruction
or disclosure throughout its life cycle.
This protection includes an appropriate
level of security over the equipment and
software used to process, store, and
transmit that information.”
This statement of overall policy
usually appears as the preamble to a
series of more specific policies.
40 welivesecurity.com
For example, there may be a section
on risk management:
“A thorough analysis of all ABC
information networks and systems
will be conducted on a periodic
basis to document the threats and
vulnerabilities to stored and
transmitted information.”
There should probably be a virus
protection policy. That might say
something like this:
“Virus-checking systems approved
by the Information Security Officer
and Information Services must
be deployed using a multi-layered
approach (desktops, servers, gateways,
etc) that ensures all electronic files are
appropriately scanned for viruses. Users
are not authorized to turn off or disable
virus-checking systems.”
So there are multiple specific policies
below the overall information security
policy. There is another term you may
see when people talk about information
security policy and that is information
security program, and sometimes
written information security
program or WISP (not to be confused
with wireless Internet service provider).
WISP is a term that encompasses all
relevant policies plus your organization’s
program for implementing them. I like
the term because it implies something
more practical than just a collection
of policies sitting in a binder (although
the WISP will likely sit in a binder,
too). Regular readers may recall that
WISP plays a prominent role in some
information security legislation, notably
the law in Massachusetts that says:
“Every person that owns or licenses
personal information about a
resident of the Commonwealth shall
develop, implement, and maintain a
comprehensive information security
program that is written in one or
more readily accessible parts and
contains administrative, technical,
and physical safeguards…”
I won’t go into the details about the
Massachusetts legislation since
the main points were covered in that
earlier article, but suffice it to say I
think that every business, large or
small, needs to have a WISP. This may
simply be an attachment to existing
policies that says:
“The ABC Written Information
Security Program consists of the
enclosed policies and the steps we
take to enforce them, including
dissemination of polices to all new
employees and the regular training
of all employees on how to uphold
the policies in their work, together
with a periodic management review
of the program to ensure that all
aspects of information security in
our organization are appropriately
addressed at all times.”
Now, if you meet resistance when it
comes to the not inconsiderable effort
of creating and executing a WISP, try
persuading skeptics with a litany of
examples of genuine small firms that
went out of business or suffered severe
loss because of cyber criminals, many of
whom could have been defeated if the
victim had been on top of the problem.
Where to find the facts? The highly
reliable Brian Krebs has a sobering
collection of small biz cases,
constantly updated.
Why a WISP may deal you a
winning hand
Suppose you run the Acme Bicycle
Company and have developed a new
style of bicycle pedal. Will Joe Consumer,
who just wandered into your retail
store, ask to see your WISP before he
buys pedals from you? Probably not. But
suppose you’re bidding to supply a lot
of pedals wholesale to the MegaSports
chain. Will MegaSports want to see your
WISP? Probably.
I have seen the lengthy compliance
documents that some large companies
present to smaller ones with whom
they want to do business and, without
a WISP, it is going to be hard to comply
in a timely fashion, which means you
could lose the business to a competitor
who already has its security program
in place and documented. Here is
language from one such document
which was attached to a juicy contract,
as a condition of doing business:
“Vendor must have a written policy
that addresses information security,
states management commitment to
security, and defines the approach to
managing information security.”
And here are some questions which
another big vendor put to an SMB,
again as part of the contract process:
l Are there documented policies and
procedures for managing security?
l Does the vendor perform internal
reviews of security policy and technical
compliance?
l Are security policies and procedures
disseminated to all vendor employees?
So, getting your information security
policy in order is not a wish-list item or
a “nice to have but not essential” extra
for your business. Not only is a WISP
essential to succeed in fending off the
bad guys (who are most definitely
targeting small businesses these days);
it also helps you to win business.
You could lose
business to a
competitor who
has a security
program in place
welivesecurity.com 41
42 welivesecurity.com
66%
10
The big mistakes YOUR company
could be making with passwords
Enforce a password policy that requires regular, substantial changes, i.e., not
simply adding numbers or special characters on the end. These customized
passwords, known as “joe” passwords, are a gift for criminals to crack.
Don’t trust your employees to abide by policies – a password-strength meter
on the password entry page will help employees understand why some
passwords are better, and how to choose a secure one.
The programs criminals use will also look for parts of employees’ names or
usernames being reused in your password.
Much in the same way that Heisenberg has become a popular name for
babies in the wake of the TV series Breaking Bad, popular films and books
are a common password choice – and thus weak.
If your site is breached, change EVERY password.Eventually, left unchanged,
even strong passwords WILL crack.
$5 billion
The cost of identity theft worldwide,
according to a Microsoft poll of
10,000 consumers, which found that
many still failed to take basic security
precautions to protect passwords.
80%
The number of Website
users who admit to being ‘locked out’
of sites due to forgotten passwords,
according to Ping Identity.
Telepathy
Nope, not the latest cybercrime tactic
– a Microsoft tool that shows you how
predictable your password is. Type
yours into Telepathwords, and the tool
predicts the next letter. Scary.
55
The number of letters popular
password-cracker app Hashcat can
now deal with. Previously, security
wisdom was “the longer the better” –
but even long passwords are no
longer immune.
The brainwave-scanning hat
Wearing an electronics-laced hat
as a car key might seem surreal
but according to researchers at
Tottori University, the device could
provide near-unbreakable security.
“Measuring the driver’s brainwaves
continually would be straightforward
and allow authentication that could
not be spoofed by an imposter,” the
researchers write. “If the wrong
brainwaves are detected, the
vehicle is immobilized.”
The password pill
Regina Dugan of Motorola showed
off a password you can actually eat
– a vitamin-style piill that dissolves
in stomach acid, and can be read by
scanners to authenticate the wearer.
“I take vitamins every day, why can’t I
take a vitamin authentication every
day?” asked Dugan. ”Your entire body
becomes an authentication token.
It becomes your first superpower:
when I touch my phone, computer,
front door, or car I am authenticated.”
Shutterstock © Axstokes
Shutterstock © flydragon
The number of Post-It
notes with passwords written
down on them found in the office
of the Chief Information Officer
for US Immigration and Customs
Enforcement.
Shutterstock © Thirteen
The number of couples who
share passwords for email accounts,
according to Pew Internet Research –
a touching, but risky practice.
Shutterstock © gosphotodesign
2 million
With weak or leaked passwords taking the blame for hacks as diverse
as the Target breach and the New York Times attack, where the Website’s
front page was defaced, it’s no surprise that Silicon Valley hopefuls
are suggesting new ideas – some clever, some cumbersome, some
downright odd. Here are some of the best.
The number
of Adobe users who chose “123456”
as their password – out of 40 million
passwords leaked online.
By Alan Martin, We Live Security contributor
When cybercriminals broke into the
email system of Fazio Mechanical
Services in 2013, it probably seemed,
to a casual observer, that they had
too much time on their hands.
The company had been targeted for
a reason: one of its clients was retailer
Target, and thanks to the fact that
air-con never sleeps, the company had
access to Target’s systems. It was the
first step in the biggest credit-card heist
in history, which some estimates claim
affected one in three Americans.
Microsoft’s Bill Gates famously said,
“Passwords are the weakest link” – but
many of us make no effort to strengthen
ours. When Adobe was breached late last
year, the list of common passwords was
enough to make a security professional
weep. The word “password” is still used
by hundreds of thousands of people,
and “123456” was used by two million.
Worse still, password specialist Dashlane
says that two thirds of businesses fail
to warn customers who pick such
insecure passwords. When a company is
breached, the defense – “Our customers
are really stupid” – isn’t going to sound
good in court.
Password-cracking has changed.
Cybercriminals WILL crack any password,
no matter how complex. With a “dump”
of stolen, encrypted passwords, and the
right software, they can hammer away
until they break in. But if you’ve chosen
“password” or “123456”, yours will be the
first to go. Here, ESET’s experts present
tips for users – and companies – to help
ensure cyber gangs don’t see you as an
easy target.
What next for passwords?
Shutterstock © Zametalov
Passwords are
the weakest link
THE FACTS
The fingerprint reader that can’t
be fooled
Ever since fingerprint readers have
existed, people have found ways to
fool them – but a new scanner from
Biocryptology looks for blood under
the skin, to avoid criminals using plastic
(or dead) digits. Klaus Zwart, CEO, says,
“It uses UV, infrared and temperature
sensors to look for blood flow, body
temperature and pH to ensure that not
only does the finger ‘look’ right, but that
it’s also a live finger.”
The tongue scanner
Tongueprints are not about to replace
fingerprints – but Google may soon
require us to waggle our tongues at
the camera for its face passwords. A
long-standing problem with any visual
password system is that some can be
fooled by photographs – hence Google
patented a facial-password system,
where users could unlock phones using
facial expressions. So you’d have to stick
out your tongue or frown at the camera
instead of typing a password.
welivesecurity.com 43
TECH INSIGHT
Love your Android
Why malware protection is just the start for
effective security on Android smart devices
By Branislav Orlik, Product Manager, ESET
Android devices face a wide range
of dangers - from a colleague
reading your emails over your
shoulder (surprisingly easy, and
something which no app can defend
against) to more serious threats from theft to phishing sites.
ESET Mobile Security aims to provide
peace of mind. It is not built around
scare tactics - used by some companies
- where the threat of high-tech new
malware is hyped at every opportunity.
It’s built to allow users more control,
and to deal with every problem the user
faces while browsing or using apps, not
just the ones that make good headlines
on the tech blogs. ESET Mobile Security
provides protection even for less
experienced users. Our app is a new
way of thinking about Android security
- and a new level of peace of mind for
our users.
Android under attack
Malware on devices using Android
OS is a growing problem. ESET’s Virus
Radar detects new variants of malware
daily - including serious threats such as
ransomware - and the malware itself
is becoming more dangerous month
by month. But the sheer number of
Android devices brings a new set of
security concerns apart from malware.
Our app focuses on protecting your
data 24/7 - however users use their
handsets. We wanted to ensure users
were protected in every eventuality.
44 welivesecurity.com
Some Android users take big risks using third-party unofficial stores or
downloading ‘cracked apps’ from stores
outside official Google’s Play store.
ESET Mobile Security will provide clear
warnings to users, even for those.
Moreover, Google itself has improved
security in the Google Play store, and
we have ensured that Mobile Security
provides added value on top of that.
What’s the real problem?
Serious security vulnerabilities are
patched rapidly - and consumers are
often safe before the vulnerability is
known to the public. The open nature
of Android means that malware and
various vulnerabilities will always be
around - but for many users, these are
not the real problems. ESET Mobile
Security app protects the users first.
Their devices contain personal details
- for gangs, it’s not worth breaching,
in the same way as they might hack
a major company, so criminals use
malware to “leech” instead. Leeching
personal information is not the only
threat, either - malware can cost you
money - some malicious Android apps
can bypass the ‘two-factor’ security
systems used by online banks, allowing
criminals access to user’s accounts, or
can send premium SMS messages or
make calls to expensive numbers.
What ordinary users worry about
For an ordinary Android user,
the biggest problem is “data
leeches”. When a user installs an app,
they will see a list of permissions - such
as making calls, sending SMS messages
or even for recording video without the
user’s knowledge (as happened recently
with Facebook’s Messenger).
It’s easy for apps to misuse this data
- particularly when adware harvests
information without permission, and
it is sold to third-party data brokers
- or when apps fill your devices with
full-screen ads. Users also face simpler
problems, such as when a thief
snatches a handset and sells identifying
information. ESET Mobile Security
blocks all of these threats - from rogue
apps, to human thieves, to phishing
sites. In their review, AV-Comparatives’
described our app as “outstanding”.
How IT security is changing
The way users interact with their
devices has changed hugely. Antivirus packages are an old way of
doing things. For a user, their family
photographs and contacts list are
important - hence ESET Mobile Security
doesn’t restrict itself simply to chasing
high-profile malware. It also protects
against theft or loss - allowing a remote
wipe, siren, or geo-location of a lost
device from the my.eset.com portal or
by using simple SMS commands.
Why EMS offers more
One of the threats that’s brushed under
the carpet in most apps is phishing.
Our app deals with this common
problem - without inconveniencing the
user - via an anti-phishing tool blocking
site. Even if these phishing threats
don’t employ malware, fake forms can
harvest user details just as efficiently.
Our app’s various call-blocking systems
give users control over abusive callers or tech-support scammers.
New applications are audited - and
users are warned of risks from apps
which request suspicious permissions
and also warned of the risks of open
Wi-Fi networks - which can be misused
by eavesdroppers. ESET Mobile Security
software will keep user information
safe even if their device is stolen. Our
anti-theft feature will help to not only
track it - but even identify the thief.
Unless the criminal takes extreme steps
such as destroying the device, we can
help to recover it. This is the modern
face of phone security software.
Home users and ‘BYOD’
Android malware can threaten the
privacy of anyone - private users, or
big companies. Much of the malware
infecting the world’s army of Android
handsets is built to insert aggressive
adverts throughout the OS - or to
obtain identifying information.
The trend for users to ‘bring their
own device’ to work can undermine
corporate security, unless employees
use an app such as ESET Mobile Security,
which will help to underline the security
rules of the company, when used in
partnership with IT staff. For example,
at last year’s I/O conference, Google
announced a billion active Android
users. Most of these users will try
‘freemium’ apps, offered in millions,
which can harvest data on a scale
never seen before.
What does ESET Mobile Security
offer its users?
ESET Mobile Security gives users
significant control over devices that
increasingly contain information more
valuable than the phones themselves.
It is easy to install, the database of
threats is updated daily - and the app
walks users through all of its functions.
Afraid of what has happened to your lost
device? Remote-wipe it. Worried that
your app has too many permissions?
We will warn you. And our Live Grid and
regular scans ensure that if a “big” Android
malware attack hits, our users are ready.
Scammers, thieves, phishers, and
malware writers will have a much
more difficult job if your device runs the
ESET Mobile Security app - constantly
updating to ensure we’re always a
step ahead.
welivesecurity.com 45
INTERVIEW
www.eset.com
Why do so few kids learn
computer science?
Lysa Myers, Security Researcher, ESET
The city of Chicago, Illinois
recently announced a change
to the curriculum for schools in
their district that would introduce
children as young as primary
school age to computer science
concepts. It would also allow
students to count computer
science as a core subject that
fulfills graduation requirements,
rather than simply be an elective.
This sounds like a big step in the
right direction. But what does
the boost for computer science,
often affectionately abbreviated to
comp-sci, mean in the grand scheme
of things?
One might think that getting kids
interested in computers would be
considered something of the utmost
importance. But apparently this is
not yet the case. In many states in
the US, if computer science is
offered at all, it is considered an
elective subject, which means it
does not count towards a student’s
graduation requirements.
What is happening elsewhere?
I naturally wondered how this
compared with that of other countries.
The US is behind some countries,
ahead of others, but few are perfect.
Why does K-12 computer
science matter?
For those of us who have been out of
high school for more than a few years,
this announcement from Chicago
might come as a surprise. Aren’t all
kids getting computer science
classes already?
To get an idea of the differences in
culture, let’s look at a couple of very
dissimilar examples. In Finland,
which is generally the country in
Europe whose scores in reading,
math and science are consistently
highest, there is little focus on taking
standardized tests. Being strong
in multiple languages is a primary
focus for their educational system.
The percentage of people needing to
use computers proficiently seems to
be rapidly approaching 100%, at least
for skilled jobs in the US. And in terms
of job security and satisfaction,
technical jobs have much to offer.
In lists of the best, the most lucrative
and most in-demand jobs, computer
experts are always in the top five.
In South Korea, another very highlyrated country, things are very different.
Students typically go to school for
incredibly long hours. In both Korea
and Finland, like in the US, computer
science is considered an elective.
But in practice, Korean students get
much more exposure to computerrelated topics, in part because those
46 welivesecurity.com
long days give them more time.
There is also much more focus
on digital literacy and ethics.
But digital literacy is not the same
as understanding how computers
actually work.Computer Science in
many countries may cover no more
than basic Java programming.
For those of us in a computer-related
field, this is laughably inadequate.
But fortunately, there are things that
you and I can do.
Ask your local teacher about
computer education
Does your local school teach
children how to use computers
safely? What other subjects do
they cover, such as programming
or algorithms?
Sign a petition to make computer
science count. For the US, there are
already several on Change.org.
Learn more at Code.org
Code.org has an incredible variety
of resources available for people
that want to help spread the word.
For those who are educators, or who
have kids they would like to inspire,
they have even more options to offer.
If you are a software engineer, they
include yet another list of ways you
can help. And last but not least,
donations are always helpful.
A HIGH-VALUE,
TOP-RATED APP
– FEATURING YOUR BRAND
Find out how to customize ESET Mobile Security
with your logo – and leverage ESET’s market-leading
security technology in your markets.
DO MORE
Whether you’re managing your business, or overseeing your company’s I.T.,
ESET’s security products are fast, easy to use, and deliver market-leading
detection. We deliver the protection that allows you to DO MORE. Find
out more at ESET.COM
WITH YOUR I.T.
SECURED BY ESET
49 welivesecurity.com